Wikipedia dodges critical vulnerability that could have let attackers take over

The possibility of Wikipedia being taken over by attackers was just foiled by quick action on the part of Wikimedia Foundation, the nonprofit that operates Wikipedia, with the help of Check Point, the security firm that discovered the critical security hole in its code.

"It is conceivable that someone who discovered this vulnerability could have executed code that may have made it possible to access user data," says Wikimedia Foundation spokesman Jay Walsh. But it was Check Point researchers who discovered this vulnerability first in the MediaWiki project Web platform, which is open-source code used to create and maintain wiki websites.

Check Point says what its researchers uncovered was a remote-code execution flaw in MediaWiki 1.8 onwards, through which an attacker could potentially gain complete control of the vulnerable web server. A patch "was applied to the software within 45 minutes of discovery," says Walsh. Wikimedia has also released the patch today so others can apply it to the open-source code as well.

This is only the third time since 2006 that a remote-code execution flaw has been identified in MediaWiki open-source code. If an attacker had discovered it first, then it would have been a "zero-day" vulnerability without a patch, says Patrick Wheeler, head of threat prevention product marketing at Check Point.

Check Point says if the vulnerability hadn't been discovered and fixed, an attacker could have been able to control the Wikipedia.org web server or any other wiki site running on MediaWiki, and potentially inject and serve malware-infecting code to users visiting those sites.

This would have been a disaster for the millions of visitors to the site each month, and a blow to the respected open-source project that has helped foster the popular online Wikipedia encyclopedia.

Charles Henderson, director of application security services in Trustwave's SpiderLabs research division, says it's not that vulnerabilities are "necessarily better or worse" in open source as compared with closed-source, proprietary code. The point is that open-source code has become so widely used, including by business, that any serious security issues that crop up in it can't be ignored.

Some open-source projects do a good job of managing security updates, says Henderson, while others seem more lax. But the openness of how code is developed and, if necessary, patched means that attackers can monitor open-source development fairly easily, he says.

Sonatype CEO Wayne Jackson says the security of open-source code is getting more attention from those in the federal government, for example, who want to know more about how it gets developed. Jackson says there has been a string of security incidents associated with identified open-source vulnerabilities, such as last summer when a vulnerability in the Apache Struts web application framework was sold as an automated attack script in Chinese circles online. The Struts vulnerability was also tied to a cyber-intrusion into a Chicago-based trading exchange around that time, Jackson adds.

It's not unusual to find commercial software of one sort or another integrating open source. Jackson says one example is Sydney, Australia-based firm Atlassian, which last summer publicly identified the critical Struts vulnerability in its software. He pointed out that Cisco also issued a security advisory last October related to an Apache Struts remote-code execution vulnerability in its products.

It's often simple to identify sites built on open-source code such as Struts through a Google search, Jackson says.

Open-source code represents the modernization of software development, based on the idea of a "meritocracy" of achievement by software developers contributing to code they all share, Jackson says. But the downside is that "the ecosystem has treated open source like this huge sugar store, living off the sugar high of productivity."

One basic question about open source is whether the organizations making use of it are even aware of it. "It's a fundamental problem," says Jackson. Sometimes it seems like the "bad guys are way more efficient than the good guys" in keeping track of open-source developments and usage.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.